Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2024 02:10
Static task: static1
Behavioral task: behavioral1
Sample: 2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616.dll
Resource: win7-20241010-en
General
Target: 2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616.dll
Size: 1.3MB
MD5: 78cd435c2bb78c951eb88ade80c5c5fe
SHA1: c3c5629d2b6dad9a6e91b917829b3815ec8eaa7a
SHA256: 2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616
SHA512: ac4221b69e7ffa70660d891af300cfeba463c1cd3f3581529f9b6c94c88d9e547a7df2f2c21e499a3034044d76452da42f7bbc041c9787629f75f7c8b1a97689
SSDEEP: 12288:JXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:FB/Qn0rbD8UZUDtgIiemI51Mwtewkm
Malware Config
Signatures
YARA rule matches (Dridex)
  yara_rule: dridex_stager_shellcode
    behavioral1/memory/1344-4-0x0000000002A70000-0x0000000002A71000-memory.dmp
  yara_rule: dridex_payload
    behavioral1/memory/2380-1-0x000007FEF8000000-0x000007FEF814A000-memory.dmp
    behavioral1/memory/1344-22-0x0000000140000000-0x000000014014A000-memory.dmp
    behavioral1/memory/1344-29-0x0000000140000000-0x000000014014A000-memory.dmp
    behavioral1/memory/1344-40-0x0000000140000000-0x000000014014A000-memory.dmp
    behavioral1/memory/1344-41-0x0000000140000000-0x000000014014A000-memory.dmp
    behavioral1/memory/2380-49-0x000007FEF8000000-0x000007FEF814A000-memory.dmp
    behavioral1/memory/2884-60-0x000007FEF8000000-0x000007FEF814B000-memory.dmp
    behavioral1/memory/2884-62-0x000007FEF8000000-0x000007FEF814B000-memory.dmp
    behavioral1/memory/1136-95-0x000007FEF7ED0000-0x000007FEF801B000-memory.dmp
    behavioral1/memory/1136-98-0x000007FEF7ED0000-0x000007FEF801B000-memory.dmp
    behavioral1/memory/836-134-0x000007FEF7EC0000-0x000007FEF8011000-memory.dmp
    behavioral1/memory/836-138-0x000007FEF7EC0000-0x000007FEF8011000-memory.dmp
Executes dropped EXE 3 IoCs
  pid   Process
  2884  lpksetup.exe
  1136  mstsc.exe
  836   FXSCOVER.exe
Loads dropped DLL 7 IoCs
  pid   Process
  1344  Process not Found
  2884  lpksetup.exe
  1344  Process not Found
  1136  mstsc.exe
  1344  Process not Found
  836   FXSCOVER.exe
  1344  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\mDtcxE\\mstsc.exe"
  Process: Process not Found
Checks whether UAC is enabled 4 IoCs
  description        ioc                                                                                      Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  lpksetup.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mstsc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FXSCOVER.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process            entries
  2380  rundll32.exe       3
  1344  Process not Found  61 (all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
  description                        pid   Process            procid_target  entries
  PID 1344 wrote to memory of 2832   1344  Process not Found  30             3
  PID 1344 wrote to memory of 2884   1344  Process not Found  31             3
  PID 1344 wrote to memory of 264    1344  Process not Found  32             3
  PID 1344 wrote to memory of 1136   1344  Process not Found  33             3
  PID 1344 wrote to memory of 940    1344  Process not Found  34             3
  PID 1344 wrote to memory of 836    1344  Process not Found  35             3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2380
C:\Windows\system32\lpksetup.exe
  command line: C:\Windows\system32\lpksetup.exe
  PID: 2832
C:\Users\Admin\AppData\Local\2Ntdy\lpksetup.exe
  command line: C:\Users\Admin\AppData\Local\2Ntdy\lpksetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2884
C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
  PID: 264
C:\Users\Admin\AppData\Local\oFkZ3KyV\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\oFkZ3KyV\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1136
C:\Windows\system32\FXSCOVER.exe
  command line: C:\Windows\system32\FXSCOVER.exe
  PID: 940
C:\Users\Admin\AppData\Local\Ndg9znpaL\FXSCOVER.exe
  command line: C:\Users\Admin\AppData\Local\Ndg9znpaL\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 836
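The process tree above shows the same three Windows binaries each started twice: once from C:\Windows\system32 and once from a copy under C:\Users\Admin\AppData\Local\<random>\, alongside a per-user Run value that points at yet another copy of mstsc.exe under AppData\Roaming. The script below is an added example, not part of the sandbox report or of any tool it names: it replays the report's own process list and Run-key IoC through two triage checks, one for a system binary's file name executing outside the system directories, one for a Run value whose target sits under the user profile. The process paths and the Run value are copied from the report; the system-directory prefixes and the reason strings are this example's own choices.

```python
"""Added triage check (example code, not part of the sandbox report).

It replays the report's process list and Run-key IoC through two detections
that this execution chain trips:

  1. side-load staging: a file name that runs from a Windows system directory
     somewhere in the trace (lpksetup.exe, mstsc.exe, FXSCOVER.exe) and also
     runs from a user-writable directory (AppData\\Local\\<random>\\);
  2. a per-user Run value whose target sits under AppData, uses 8.3 short
     names, or reuses the name of one of those system binaries.

Assumptions: paths and the Run value are copied from the report above; the
system-directory prefixes are a hand-picked list for this example.
"""
import ntpath
import re

# Copied from the report's process tree (constructed input for this example).
PROCESSES = [
    (2380, r"C:\Windows\system32\rundll32.exe"),
    (2832, r"C:\Windows\system32\lpksetup.exe"),
    (2884, r"C:\Users\Admin\AppData\Local\2Ntdy\lpksetup.exe"),
    (264,  r"C:\Windows\system32\mstsc.exe"),
    (1136, r"C:\Users\Admin\AppData\Local\oFkZ3KyV\mstsc.exe"),
    (940,  r"C:\Windows\system32\FXSCOVER.exe"),
    (836,  r"C:\Users\Admin\AppData\Local\Ndg9znpaL\FXSCOVER.exe"),
]

# The Run value from the report's "Adds Run key" signature (constructed copy).
RUN_VALUES = [(
    r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq",
    r"C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\MACROM~1.COM\mDtcxE\mstsc.exe",
)]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHORT_NAME = re.compile(r"~\d+(?=[.\\]|$)")   # DOS 8.3 component such as MACROM~1


def _norm(path):
    """Lower-case and strip the quotes a registry string value may carry."""
    return path.strip().strip('"').lower()


def in_system_dir(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def system_binary_names(processes):
    """File names that run from a system directory somewhere in the trace."""
    return {ntpath.basename(_norm(p)) for _, p in processes if in_system_dir(p)}


def misplaced_system_binaries(processes):
    """(pid, path) for every process that reuses a system binary's file name
    but runs from outside the system directories. The loader here starts the
    genuine binary and then a copy placed beside its dropped DLL, so each
    name appears twice with different PIDs and parent directories."""
    names = system_binary_names(processes)
    return [(pid, p) for pid, p in processes
            if not in_system_dir(p) and ntpath.basename(_norm(p)) in names]


def run_value_findings(key, data, system_names=frozenset()):
    """Reasons a Run value deserves a look; an empty list means nothing flagged."""
    target = _norm(data)
    reasons = []
    if _norm(key).startswith("\\registry\\user\\"):
        reasons.append("per-user Run key: persists without admin rights")
    if "\\appdata\\" in target:
        reasons.append("target lives under the user profile (AppData)")
    if SHORT_NAME.search(target):
        reasons.append("target path uses 8.3 short names")
    if ntpath.basename(target) in system_names and not in_system_dir(target):
        reasons.append("target reuses a Windows binary's name outside System32")
    return reasons


def triage(processes, run_values):
    names = system_binary_names(processes)
    return {
        "side_loaded": misplaced_system_binaries(processes),
        "run_keys": [(k, v, run_value_findings(k, v, names)) for k, v in run_values],
    }


if __name__ == "__main__":
    result = triage(PROCESSES, RUN_VALUES)
    for pid, path in result["side_loaded"]:
        print(f"[side-load] pid {pid}: {path}")
    for key, data, reasons in result["run_keys"]:
        print(f"[run-key] {key}\n  -> {data}")
        for r in reasons:
            print(f"     * {r}")
```

Run against the report's data it flags PIDs 2884, 1136 and 836 as the relocated copies and gives four reasons for the Kgvptlq value. The side-load check deliberately derives its list of "system binary" names from the trace itself rather than from a fixed allowlist, so it works on any process list where the loader first launches the legitimate binary; on a trace that lacks that first launch you would seed `system_names` from a known inventory instead.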
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
  MD5: 1c16d07184d7e3bb22a76f0f38ee96c1
  SHA1: df70b01870bd776118cd0b20c068aaba932702d7
  SHA256: 05d04c9ea336912d2bd709d24127d6d968b87ad427fa887126ff3794ade134bd
  SHA512: 9edc0f58619b6159f1fd7fcd1fb0be061ad7c8bbd5fddc37ce008288226f4dfd3c8a5b3ef1f1783485b7b9967cf86886b25f358e2298e0178d59d799aa924ec1
Filesize: 638KB
  MD5: 50d28f3f8b7c17056520c80a29efe17c
  SHA1: 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
  SHA256: 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
  SHA512: 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861
Filesize: 1.3MB
  MD5: 52f0bd4b796e5cb7cb555fc0341c59bd
  SHA1: 3776d52eefe28acb51c7ca7bdca000f01f3add80
  SHA256: 4f48b38a1147ec1af63233d2213a44540eec34276763f728e9be0ac313ccf663
  SHA512: e7ab5a309f4f6b4655c989b876333173c2149200dc1ec00c6c2c5c58da8fc15906a3e63ff7ef45fc34d864e2a96effdae835c28e938c5b6040260e271250ba0c
Filesize: 1.3MB
  MD5: 561a76f34f2dc7769efe2118d967fc58
  SHA1: d845f98cd79d1c8b08b52bbbd92c6a640c0108c7
  SHA256: 96ad827c72ed2fcea2958f566d71770e6d6865014b276edb3cf565eb736b17e4
  SHA512: c1434397a3b1050caaee4836f5ac18ea30f3f121e10a4704f37982f18007353bc87d8e3b9e8cc738ae8cce9c4d3c37def47049098b3d3fe6e8bb874d28b5cc54
Filesize: 1.1MB
  MD5: 50f739538ef014b2e7ec59431749d838
  SHA1: b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
  SHA256: 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
  SHA512: 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8
Filesize: 971B
  MD5: 6fe866815ca7b0f0ba4459fd5c1afad9
  SHA1: a20e03d8474db8536c75f47ddefc1c0f7332d1ad
  SHA256: 3e3f87d90249c49a9a7c787dfcece3a90995f14de034e09f483106c1df864460
  SHA512: a98d886fcd9978635fb2fda1a4c2b5bed277b3f52fff21c072da07e47d23c30560cec1be43e9e901bd648f6f528c40f50d9dfb539fba4738f0a55692fff6999e
Filesize: 261KB
  MD5: 5e2c61be8e093dbfe7fc37585be42869
  SHA1: ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
  SHA256: 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
  SHA512: 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b